This should not be posted to -dev.
Cheers,
Ben.
Tatsuya Yoshida wrote:
>
> Hello:
>
> I am testing CRL check behaviors using apache_1.3.12 plus mod_ssl-2.6.4
> plus openssl-0.9.5a.
> I have tested three CRLs issued by three different CAs: Windows2000
> Enterprise CA, CMS4.1 and another CA.
> Although successful with the Windows2000 Enterprise CA CRL,
> I always get the "CRL signature failure" error message when checking
> the two other CAs' CRLs.
> All the CRLs are in the version 2 format and their details are shown
> below.
>
> 1. Windows2000 Enterprise CA CRL (checking is successful with this one)
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /Email=**/C=**/ST=**/L=**/O=**/OU=**/CN=**
>         Last Update: Jun 5 07:26:40 2000 GMT
>         Next Update: Jun 5 09:01:40 2000 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:5F:BD:4E:7A:57:87:FC:9F:7E:F6:F3:DA:36:8E:C6:17:F2:FD:3A:40
>
>             1.3.6.1.4.1.311.21.1:
> Revoked Certificates:
>     Serial Number: 01270EC80000000007FA
>         Revocation Date: Jun 5 07:36:11 2000 GMT
> ...
>
> 2. CMS4.1 CRL (checking fails)
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /C=**/ST=**/L**/O=**/OU=**/CN=**
>         Last Update: Jun 5 08:25:33 2000 GMT
>         Next Update: Jun 5 10:25:33 2000 GMT
> Revoked Certificates:
>     Serial Number: 05
>         Revocation Date: May 17 11:07:13 2000 GMT
>         CRL Reason Code:
>             Unspecified
> ...
>
> 3. Another CA CRL (checking fails)
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /C=**/O=**/CN=**
>         Last Update: May 8 16:00:03 2000 GMT
>         Next Update: Jun 7 16:00:00 2000 GMT
> Revoked Certificates:
>     Serial Number: 3BB6B4DF00000003
>         Revocation Date: Nov 17 09:20:45 1999 GMT
> ...
>
> As shown above, the successfully checked W2K CRL has a CRL extensions
> setting, X509v3 Authority Key Identifier, which the other two CAs'
> CRLs do not have.
> When checking v2 CRLs with mod_ssl (openssl), is it necessary to set
> at least one CRL extension? Or is the specific Authority Key
> Identifier extension critical?
> Or is there anything else that causes the "CRL signature failure"?
>
> Any information would help me.
> Thank you,
> Tatsuya Yoshida
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/
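The quoted question asks whether the missing Authority Key Identifier extension is what makes the CRL check fail. The script below is an added example, not part of this thread and not mod_ssl or OpenSSL code; it uses the third-party Python `cryptography` package (assumed installed) and constructs two test CAs, their keys, and three CRLs entirely in memory (all names and serial numbers are made up). It shows what a CRL signature check actually tests: a CRL with no extensions at all verifies fine when it was signed by the CA's key, while a CRL that does carry an Authority Key Identifier still fails when the key that signed it is not the one in the CA certificate being used. The extension only helps a verifier pick the right issuer key; it does not make a signature valid.

```python
"""Added example (not from the original thread): what "CRL signature failure"
tests, using the third-party `cryptography` package (assumed installed).
All CAs, keys and CRLs below are constructed in memory for the demo."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_ca(common_name: str):
    """Constructed test CA: a fresh RSA key and a self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(signing_key, issuer_cert, revoked_serials, with_aki: bool):
    """Build a v2 CRL naming `issuer_cert` as issuer, optionally with an
    Authority Key Identifier, and sign it with `signing_key`.  Nothing forces
    `signing_key` to match `issuer_cert`; that mismatch is exactly what a
    verifier reports as a CRL signature failure."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(hours=2))
    )
    for serial in revoked_serials:
        revoked = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now - datetime.timedelta(days=1))
            .add_extension(x509.CRLReason(x509.ReasonFlags.unspecified), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(revoked)
    if with_aki:
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_cert.public_key()),
            critical=False,
        )
    return builder.sign(signing_key, hashes.SHA256())


def crl_checks(crl, ca_cert):
    """Two independent checks a verifier makes before trusting a CRL:
    the issuer name must match the CA, and the signature must verify with
    the CA certificate's public key.  Returns (names_match, signature_ok)."""
    names_match = crl.issuer == ca_cert.subject
    signature_ok = crl.is_signature_valid(ca_cert.public_key())
    return names_match, signature_ok


def demo():
    """Run the three cases; returns their (names_match, signature_ok) tuples."""
    key1, ca1 = make_ca("Test CA 1")
    key2, ca2 = make_ca("Test CA 2")

    # Case 1: no CRL extensions at all, signed by CA1's own key -> signature OK.
    plain_crl = build_crl(key1, ca1, [5], with_aki=False)
    case1 = crl_checks(plain_crl, ca1)

    # Case 2: AKI present, issuer name says CA1, but signed with CA2's key
    # -> names match, signature fails.  The extension did not help.
    mismatched_crl = build_crl(key2, ca1, [0x3BB6B4DF00000003], with_aki=True)
    case2 = crl_checks(mismatched_crl, ca1)

    # Case 3: same CRL checked against the CA whose key really signed it
    # -> signature OK, but the issuer name no longer matches.
    case3 = crl_checks(mismatched_crl, ca2)
    return case1, case2, case3


if __name__ == "__main__":
    labels = ("no extensions, right key", "AKI, wrong key", "AKI, signing key's CA")
    for label, (names_match, signature_ok) in zip(labels, demo()):
        print(f"{label}: issuer match={names_match}, signature ok={signature_ok}")
```

The practical reading for a failing CRL is therefore to compare the key that signed the CRL with the key in the CA certificate mod_ssl was given (for example by checking whether the CRL verifies against each candidate CA certificate in turn) rather than to add extensions to the CRL.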